What is MITRE D3FEND?
MITRE D3FEND is a knowledge model of cyber defence techniques developed by the MITRE Corporation. It is intended as the counterpart to MITRE ATT&CK and focuses on protection, detection and response measures against cyber threats.
D3FEND provides structured terminology and relationships between defensive measures, allowing organisations to plan, improve and communicate their security architecture in a consistent way.
How does MITRE D3FEND work?
- D3FEND describes techniques that organisations use to defend themselves against attacks
- The model is tactical and technical, divided into five main areas:
  - Harden: strengthening systems against abuse
  - Detect: identifying threats
  - Isolate: separating or containing threats
  - Deceive: misleading attackers
  - Evict: removing threats
- Each technique is linked to ATT&CK techniques, so you can see which defence works against which attack
- The model is publicly available at d3fend.mitre.org
D3FEND is a taxonomy of defensive capabilities, just as ATT&CK is for attacks.
Application of MITRE D3FEND in industrial networks
- Match defensive measures with known OT attack techniques from MITRE ATT&CK for ICS
- Substantiate the choice of technical controls in a Defense in Depth architecture
- Use D3FEND as a guide for SIEM, SOAR, Endpoint Detection and Response (EDR), firewall rules and network segmentation
- Apply when designing SOC use cases, Threat Hunting or Incident Response
- Supports compliance with standards such as IEC 62443 or NIS2
In an OT context, D3FEND helps link defensive measures to known attack patterns.
D3FEND categories
| Category | Description | Example measures |
|---|---|---|
| Harden | Reduce the attack surface | Least Privilege, RBAC, Whitelisting |
| Detect | Discover unwanted activity | SIEM, anomaly detection, EDR |
| Isolate | Limit an attacker's freedom of movement | VLAN, Firewall, microsegmentation |
| Deceive | Mislead attackers | Honeypots, decoy credentials, deception grids |
| Evict | Remove intruders and recover | Incident Response, re-imaging, blocklists |
Security considerations
- D3FEND is not itself a tool, but a knowledge model for structuring defence
- Helps organisations make risk-driven choices about security measures
- Supports gap analysis: which layers of defence are missing?
- Compatible with MITRE ATT&CK, NIST, CISA guidelines and IEC 62443
Linking D3FEND to ATT&CK provides a complete view of both attacks and defence.
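The gap analysis described above can be mechanised once measures are tagged with their D3FEND tactic and linked to the attack techniques they counter. The following Python is an added example, not part of the page or of MITRE's own tooling; its attack technique labels, measure names and mapping are constructed placeholders, not entries from the real D3FEND or ATT&CK for ICS catalogues.

```python
"""Defence-in-depth gap analysis structured along the five D3FEND tactics.

All catalogue data below is constructed for illustration. The technique
labels are placeholders, not real ATT&CK (for ICS) IDs, and the measure
names are not real D3FEND technique identifiers.
"""

# The five D3FEND tactics used on this page, in layer order.
TACTICS = ("Harden", "Detect", "Isolate", "Deceive", "Evict")

# Constructed catalogue: defensive measure -> the D3FEND tactic it belongs to.
MEASURES = {
    "least_privilege": "Harden",
    "application_whitelisting": "Harden",
    "network_anomaly_detection": "Detect",
    "edr": "Detect",
    "microsegmentation": "Isolate",
    "decoy_credentials": "Deceive",
    "incident_response_playbook": "Evict",
}

# Constructed mapping: attack technique of concern -> measures that counter it.
COUNTERMEASURES = {
    "TXXXX-remote-services": [
        "least_privilege", "network_anomaly_detection", "microsegmentation",
        "decoy_credentials", "incident_response_playbook",
    ],
    "TXXXX-unauthorised-command": ["network_anomaly_detection", "microsegmentation"],
    "TXXXX-program-download": ["application_whitelisting", "edr"],
}


def gap_analysis(implemented):
    """For each technique, report which tactics (layers) are covered by measures the
    organisation has deployed, which layers are uncovered, and which catalogued
    measures would close a gap but are not yet implemented (quick wins)."""
    report = {}
    for technique, measures in COUNTERMEASURES.items():
        covered = {MEASURES[m] for m in measures if m in implemented}
        report[technique] = {
            "covered": [t for t in TACTICS if t in covered],
            "uncovered": [t for t in TACTICS if t not in covered],
            "quick_wins": sorted(m for m in measures if m not in implemented),
        }
    return report


def uncovered_counts(report):
    """Count, per tactic, how many techniques lack that layer: the weakest layers."""
    return {t: sum(t in r["uncovered"] for r in report.values()) for t in TACTICS}
```

Techniques whose "uncovered" list still contains a tactic after every quick win is applied point at gaps in the mapping itself, not only in deployment.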
In summary
MITRE D3FEND is a structured model for cyber defence techniques, intended to organise, link and improve security measures in a logical way. In OT, it helps strengthen systems against known attack techniques from MITRE ATT&CK for ICS.
